ABSTRACT


Semiquantum key distribution allows a quantum party to share a random key with a “classical” party who only can prepare and
measure qubits in the computational basis or reorder some qubits when he has access to a quantum channel. In this work, we 
present a protocol where a secret key can be established between a quantum user and an almost classical user who only 
needs the quantum ability to access quantum channels, by securely delegating quantum computation to a quantum server. We 
show the proposed protocol is robust even when the delegated quantum server is a powerful adversary, and is experimentally 
feasible with current technology. As one party of our protocol is the most quantum-resource efficient, it can be more practical 
and significantly widen the applicability scope of quantum key distribution. 


Introduction 

Conventionally, quantum key distribution requires that two remote parties (usually called Alice and Bob) both have some
quantum capabilities to establish a shared key, such as the ability to prepare and measure qubits in different bases. However,
in reality not all users own enough quantum resources or have equal quantum technologies. Moreover, a protocol
sometimes may not need to be completely quantum to obtain a significant advantage over all its classical counterparts. Based on
these two points, not fully quantum key distribution was first introduced by Boyer et al. (Ref. 1), where secure key distribution
becomes possible when one party, Alice, is quantum, yet the other party, Bob, has only “classical” capabilities, which means he is
limited to performing the following four operations: (1) prepare qubits in the computational basis $\{|0\rangle, |1\rangle\}$,
(2) measure qubits in the computational basis $\{|0\rangle, |1\rangle\}$, (3) reorder qubits, and (4) access quantum channels.
A party Bob with such limitations is customarily called “classical” Bob, and this kind of protocol is termed “quantum key
distribution with classical Bob” or “semiquantum key distribution (SQKD)”.

The first SQKD protocol was proposed in 2007 by using four quantum states, each of which is randomly prepared in the
rectilinear or diagonal basis (Ref. 1). The idea was extended further and two similar protocols were presented in Ref. 2. One is
based on measurement and the other is based on randomization. Almost simultaneously, Ref. 3 showed that the SQKD protocol in
Ref. 1 can be simplified by employing fewer than four quantum states and proposed five different SQKD protocols using three
quantum states, two quantum states, and one quantum state, respectively. In 2011, a more efficient SQKD protocol was proposed
based on entangled states, where the qubit efficiency is improved to 50%, compared with 25% of the protocol in Ref. 1. Recently,
Ref. 5 proposed an SQKD protocol in which the “classical” party does not need the measurement capability, and just needs to
prepare, send and reorder qubits. All these SQKD protocols generally assume the existence of an authenticated classical
channel, which can be removed by pre-sharing a master secret key between the communicants. Furthermore, several multiuser
SQKD protocols were put forward. The protocol in Ref. 7 allows quantum Alice to share a key with several “classical”
participants $\mathrm{Bob}_1, \mathrm{Bob}_2, \ldots, \mathrm{Bob}_n$. The protocols in Refs. 8, 9 allow two “classical”
participants to generate a shared key with the aid of an untrusted quantum server. In addition, other semiquantum
cryptographic issues beyond SQKD have also been studied to some extent.

However, in all the above-mentioned semiquantum cryptographic protocols, the so-called “classical” users are not really
classical since they still need some quantum ability to prepare and measure qubits in the computational basis, or quantum
memory to reorder qubits. That means they still require corresponding quantum devices to perform certain operations. We
therefore give a protocol in which a nearly classical party Bob, who does not possess any quantum device except those necessary
for accessing quantum channels, shares a key with quantum Alice by the delegation of quantum computations (DQC). In other
words, such a Bob does not need to implement operations (1), (2), and (3), and only requires the ability to perform operation (4).
But in the presented protocol, there may be not only an independent eavesdropper Eve attempting to obtain some information about
the shared key; the delegated server Charlie also may become a powerful adversary. Note that the delegated server can be
Alice if she can implement the complicated quantum operations that Charlie needs. But in this case, Charlie becomes a
trusted quantum server and Eve is the only attacker. It is obvious that any attack that Eve tries to do may be absorbed into the
untrusted Charlie’s attack. Therefore, we will show the proposed SQKD protocol is robust like typical SQKD protocols even
when Charlie is malicious.

The review of DQC 

In order to design the new SQKD protocol, we will utilize the technique of DQC. It is quite useful and has attracted much
attention recently since it enables users with limited quantum power to perform quantum computation while still keeping their
data private. For instance, Broadbent et al. presented the first universal protocol for DQC where the client only needs to be able
to prepare single-qubit states, and a double-server protocol where the client can be totally classical with the assumption that
the two servers are non-communicating. Morimae and Fujii utilized the one-way hashing distillation model to skillfully
realize entanglement distillation for the double-server protocol in Ref. 19 and gave a modified protocol to adapt to the case
after entanglement distillation. Then Sheng et al. employed hyperentanglement to give a much simpler way to achieve secure
distillation for the same double-server protocol with a success probability of 100%, which will greatly increase the practical
applicability of the protocol in a noisy quantum channel. Recently, Li et al. removed the demanding requirement that two servers
cannot communicate with each other in double-server BQC protocols and gave a more practical DQC protocol. Although
many protocols have been proposed, there are mainly three kinds of methods to achieve DQC: applying universal
quantum gates on encrypted qubits, hiding from the remote quantum server the circuit to be implemented, known as blind
quantum computation, and computing on encrypted qubits by multiple-round quantum communication and a complicated
verification mechanism. We will use the idea of the typical DQC protocol on encrypted data in Ref. 15. This protocol
allows a user whose quantum power is limited to encryption and preparing random BB84 states to delegate the execution
of any quantum computation on encrypted data to a remote quantum server with only one round of quantum communication.
It offers perfect privacy against any adversarial server, although it does not provide a method to verify the result. We briefly
review the protocol in the following. More details can be found in Ref. 15.

(D1) A client encrypts her qubits $|\phi\rangle$ with the quantum one-time pad and then sends the encrypted qubits
$|\phi\rangle_{enc}$ to a quantum server. Specifically, for each qubit $|\phi_i\rangle$, the client performs a combination of
Pauli X and Z operations on it to obtain $|\phi_i\rangle_{enc} = X^a Z^b |\phi_i\rangle$, where a and b are randomly chosen
from {0,1} and form the key. Obviously, with the information of a and b, the encrypted qubit can be decrypted by reversing
the Pauli X and Z rotations.

(D2) The server implements an agreed-on quantum computation U on the encrypted qubits to get $U(|\phi\rangle_{enc})$. U can be
universal and achieved in a general quantum circuit which can be decomposed into a series of the following operations: quantum
gates in a universal gate set {X, Z, CNOT, H, P, R}, auxiliary qubits prepared in $|0\rangle$, and single-qubit computational basis
measurements, where the Pauli gates X and Z, the two-qubit gate CNOT, the single-qubit Hadamard gate H, the single-qubit
phase gate P, and the non-Clifford gate R, have the following actions: $X|j\rangle \to |j \oplus 1\rangle$,
$Z|j\rangle \to (-1)^j |j\rangle$, $\mathrm{CNOT}|j\rangle|k\rangle \to |j\rangle|j \oplus k\rangle$,
$H|j\rangle \to (|0\rangle + (-1)^j |1\rangle)/\sqrt{2}$, $P|j\rangle \to (i)^j |j\rangle$, and $R|j\rangle \to$ for $j \in \{0,1\}$.
For any Clifford gate including X, Z, CNOT, H, and P on encrypted qubits, the client does not require any additional classical
or quantum resource, and only needs to know what gates are implemented to update the decryption key. But for the non-Clifford
gate R on encrypted data, the client needs to prepare auxiliary qubits and use classical interactions to modify the decryption key.

(D3) The server returns the output state $U(|\phi\rangle_{enc})$ to the client, who will obtain $U(|\phi\rangle)$ by decrypting it
with the updated decryption key that she can compute.
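
As an added illustration (not code from the paper or from Ref. 15), the sketch below carries steps D1 to D3 through for a single qubit and the Clifford gates X, Z, H and P, using the standard Pauli-conjugation rules for the key update, which the text above does not spell out. The function names and the sample state are constructed for this example; CNOT and the non-Clifford gate R are left out.

```python
import itertools
import math

R2 = 1 / math.sqrt(2)
# Single-qubit Clifford gates from step D2, as 2x2 matrices.
GATES = {
    "X": ((0, 1), (1, 0)),
    "Z": ((1, 0), (0, -1)),
    "H": ((R2, R2), (R2, -R2)),
    "P": ((1, 0), (0, 1j)),
}

def apply_gate(name, state):
    (m00, m01), (m10, m11) = GATES[name]
    return (m00 * state[0] + m01 * state[1], m10 * state[0] + m11 * state[1])

def one_time_pad(state, a, b):
    """Step D1: return X^a Z^b |state> (Z acts first, then X)."""
    if b:
        state = apply_gate("Z", state)
    if a:
        state = apply_gate("X", state)
    return state

def remove_pad(state, a, b):
    """Inverse of one_time_pad: undo X first, then Z."""
    if a:
        state = apply_gate("X", state)
    if b:
        state = apply_gate("Z", state)
    return state

def update_key(a, b, gate):
    """Client-side key update for a gate the server applied (up to global phase).
    X and Z leave the key unchanged, H swaps a and b, P maps X to XZ."""
    if gate == "H":
        return b, a
    if gate == "P":
        return a, a ^ b
    return a, b

def delegated(state, circuit, a, b):
    """D1-D3: encrypt, let the server run the circuit, decrypt with the updated key."""
    encrypted = one_time_pad(state, a, b)
    for gate in circuit:
        encrypted = apply_gate(gate, encrypted)  # server side: sees only ciphertext
        a, b = update_key(a, b, gate)            # client side: classical bookkeeping
    return remove_pad(encrypted, a, b)

def fidelity(u, v):
    """|<u|v>|^2; equals 1 when the two states agree up to a global phase."""
    inner = u[0].conjugate() * v[0] + u[1].conjugate() * v[1]
    return abs(inner) ** 2

def check_all_keys(state, circuit):
    """Smallest fidelity between the plain and the delegated result over all four keys."""
    plain = state
    for gate in circuit:
        plain = apply_gate(gate, plain)
    return min(fidelity(plain, delegated(state, circuit, a, b))
               for a, b in itertools.product((0, 1), repeat=2))

if __name__ == "__main__":
    # Constructed sample state 0.6|0> + 0.8i|1> and a constructed Clifford circuit.
    print(check_all_keys((0.6, 0.8j), "HPXHZPPH"))
```

Decrypting with the original key instead of the updated one fails as soon as the circuit contains H or P, which is why the client has to know which gates the server applied.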

Results 

In this section, we first describe the protocol which will be shown to be realized with current technology, and then analyze its 
security and compare it with other typical SQKD protocols. 

The proposed protocol. 

We begin to present the SQKD protocol where nearly classical Bob can generate a shared key with quantum Alice, by delegating
his quantum computation to a quantum server Charlie. Let n and m be the desired number of sifted key bits and final shared key
bits, $\delta > 0$, $\theta > 0$, and a > 0 be certain fixed parameters, and $l$ be the transmission speed threshold of qubits
which will be useful for the security of the protocol. The detailed steps of the protocol are given as follows.

The Quantum transmission phase. 

(S1) Alice prepares $N = 16n(1+\delta)$ qubits at random and sends them to Bob with a speed greater than or equal to $l$. Each
qubit $|\psi_i\rangle$ is one of the four states $\{|0\rangle, |1\rangle, |+\rangle = (|0\rangle + |1\rangle)/\sqrt{2},
|-\rangle = (|0\rangle - |1\rangle)/\sqrt{2}\}$, where $i = 1, 2, \ldots, N$. Here $|\psi_i\rangle$ can be regarded as the
encrypted result of another state. For example, Alice first randomly produces a state $|\phi_i\rangle$, and then applies
$X^a Z^b$ on it to get $|\psi_i\rangle$, namely $|\psi_i\rangle = X^a Z^b |\phi_i\rangle$, where a and b are randomly chosen
from {0,1} and make up the encryption key.

(S2) As each qubit $|\psi_i\rangle$ arrives, Bob randomly decides whether to discard the qubit directly or not. For each qubit
$|\psi_{s_j}\rangle$ that Bob did not throw away, Bob records its position $s_j$ ($j \in \{1, 2, \ldots, 8n(1+\theta)\}$),
transmits it to Charlie, and asks him to apply the Pauli gate $U_{s_j}$, which is randomly chosen from {X, Z}. We should note
that the transmission speed of qubits should be quick enough so that Charlie or other attackers cannot distinguish Bob’s
choices. We assume that the qubit-transmission speed threshold during Bob’s reception is $l$, to prevent attackers from learning
Bob’s random choices. If Bob observes that the speed value is smaller than $l$, he aborts the protocol and starts a new one.

(S3) After performing the operation $U_{s_j}$ required by Bob, Charlie reflects the qubit $U_{s_j}|\psi_{s_j}\rangle$ back to
Bob, still at a speed no less than $l$.

(S4) For each qubit coming from Charlie, Bob either throws it away, or sends it to Charlie again and asks him to
measure it in the rectilinear basis R or diagonal basis D. Bob also observes the transmission speed of qubits and then decides
whether to continue.

(S5) Charlie performs corresponding measurements on the qubits and sends all the measurement results to

Bob, where 4 e - A8«(i+e)}- 

The Public discussion phase. 

(S6) Alice announces the basis corresponding to the state of each qubit $|\psi_i\rangle$ she prepares. For instance, if
$|\psi_i\rangle \in \{|0\rangle, |1\rangle\}$, Alice announces R, otherwise reveals D.

(S7) Bob tells Alice the positions where he chose the right bases and then they discard the bits in other positions. There is
a high probability that there are at least 2n positions on which Alice and Bob should agree. Suppose these agreed positions are
indexed by $p_1, p_2, \ldots, p_{2n}$. If $|\psi_{p_k}\rangle$ ($k \in \{1, \ldots, 2n\}$) was prepared in $|0\rangle$ or
$|+\rangle$, Alice interprets the bit as 0, otherwise interprets it as 1. But for qubits in positions $p_k$, there are four
cases occurring with the same probability from the perspective of Bob: (1) the Pauli
gate X and measurement in the basis R are applied, (2) the Pauli gate X and measurement in the basis D are applied, (3) the 
Pauli gate Z and measurement in the basis R are applied, and (4) the Pauli gate Z and measurement in the basis D are applied. 
For cases (1) and (4) Bob interprets the bit as 1 — and interprets it as for the other two cases. By this method, Alice and 
Bob keep 2n bits. 

(S8) Alice and Bob publicly announce and compare n bits to check for eavesdropping and Charlie’s dishonesty. If the
disagreements exceed an acceptable number, they abort the protocol. Otherwise, they take the remaining n bits as a sifted key. 

(S9) Alice and Bob perform purely classical information reconciliation and privacy amplification on the n-bit sifted key to
obtain the final m-bit shared key. 

The above protocol can be illustrated by a specific example as shown in Fig. 1. In addition, the presented protocol only
needs the simplified experimental requirements of quantum key distribution plus Pauli gates X and Z, which can be experimentally
realized using today’s technology. As for the transmission speed threshold of qubits that ensures attackers are unable to know
Bob’s random choices, namely either to discard qubits or transmit them to the delegated server for further operations, it may
not be difficult to achieve since one can currently expect at least 1.02M qubits per second for a fiber distance of 20 km and
10.1K qubits per second for 100 km.

Security analysis. 

An SQKD protocol is usually said to be robust if any attack by an adversary to gain information necessarily induces some
detectable errors. We show the robustness of the proposed protocol mainly by reduction, with the only difference being that
there is an assumption on the attacker. In this protocol, attackers are not all-powerful since they are supposed to be unable to
distinguish the almost classical party’s random choices when a string of unknown qubits arrives.

Secure against an eavesdropper Eve between Alice and Bob. We first consider a special case where Eve exists only
between Alice and Bob without knowing the delegated server. Then from the perspective of Eve, since nearly classical Bob
can delegate all his quantum operations to Charlie to obtain the corresponding results, the proposed protocol (Protocol
1) can be reduced to a protocol (Protocol 2) where Alice and Bob implement a quantum key distribution protocol, similar to
the famous BB84 protocol with the modifications that Bob randomly discards some qubits, or applies Pauli gates on them and
measures some of them in the bases R or D at random. Thus Protocol 2 can obtain a similar level of security as the BB84
protocol, but at the cost of qubit efficiency, and so can Protocol 1 in this case. For example, we can suppose Eve intercepts
all the qubits and measures them in bases chosen by herself. As Eve cannot know at which positions Bob chose to apply
Pauli operators and perform measurements, in each position she only has a probability of 1/4 to guess the two choices right and
escapes from being detected with the probability $1/4 + 1/4 \cdot 1/2 + 1/4 \cdot 1/2 + 1/4 \cdot 1/2 = 5/8$. Then the
probability that Eve goes undetected is $(5/8)^n$, compared with $(3/4)^n$ for the BB84 protocol.

Secure against an untrusted server Charlie. In a more general scenario, Charlie may be dishonest and also attempt to
obtain some information about the shared key between Alice and Bob. We can assume there are no other third-party eavesdroppers
since their attacks can be absorbed into an attack initiated by a malicious Charlie. In addition, there should be an authenticated
classical channel between Alice and Bob, as is normal in SQKD protocols. The classical channel from Charlie to Bob need not be
authenticated, but it is better if it is, since an authenticated channel can increase the success rate of the protocol. From
the server Charlie’s view of Protocol 1, he performs a protocol similar to the reviewed DQC protocol of Ref. 15 with Bob, and
can also intercept and operate on all the qubits that were sent by Alice to Bob like an eavesdropper. We consider the security
in two cases according to whether Charlie initiates eavesdropping on the quantum channel between Alice and Bob.

Figure 1. An example for the proposed SQKD protocol.

If Charlie does not wiretap when Alice sends qubits to Bob, the security of Protocol 1 mainly depends on the employed 
DQC protocol. Thus Protocol 1 can be reduced to a modified DQC protocol, namely Protocol 3, which can be modeled as 
follows: 

(D1’) Alice sends to Bob a state $|\psi\rangle$ of N qubits, each of which is either $|0\rangle$, $|1\rangle$, $|+\rangle$, or
$|-\rangle$. The state $|\psi\rangle$ can be obtained by applying the quantum one-time pad on another state $|\phi\rangle$ with
two key strings $K_1$ and $K_2$, namely $|\psi\rangle = X^{K_1} Z^{K_2} |\phi\rangle$. When Bob receives each qubit, he randomly
decides to discard it or transmit it to Charlie. So the state $|\varphi\rangle$ that Charlie receives is a totally random
subsystem of $|\psi\rangle$. It can be seen that Bob encrypts $|\psi\rangle$ to get $|\varphi\rangle$.

(D2’) Charlie implements the corresponding quantum computation U on $|\varphi\rangle$ using the reviewed DQC protocol of Ref. 15.

(D3’) Different from step D3 in the reviewed protocol, Charlie not only returns to Bob the resultant state $U|\varphi\rangle$,
but also sends Bob the measurement outcomes of half of the qubits of $U|\varphi\rangle$, randomly chosen by Bob.

According to the security analysis in Ref. 15, Charlie cannot learn anything about $U|\psi\rangle$ and $|\psi\rangle$ from
$U|\varphi\rangle$. Even if in step D3’ Charlie is required to perform measurements on some qubits, which can be regarded as
Bob asking for classical output instead of quantum output, Bob still should not find any information about $U|\psi\rangle$ and
$|\psi\rangle$, otherwise the reviewed DQC protocol of Ref. 15 cannot keep the client’s data private. Thus, Protocol 1 is as
secure as Protocol 3 before public discussion.

The process of public discussion is not only used for Alice and Bob to obtain the shared sifted key bits, but also provides a 
method to verify whether Charlie follows the protocol to some extent. Although Alice and Bob reveal the bases of qubits where 
they have the same choices, Charlie still cannot learn the bits since he does not know for which qubits Bob chose the Pauli X
or Z operation and thus cannot know whether he should flip the measurement outcomes or not. In addition, if Charlie alters the
transmission or does not perform the operations as required, extra disagreements will be induced on some of the bits on which
Alice and Bob think they should agree.

If Charlie controls the quantum channel from Alice to Bob, the security of Protocol 1 does not depend only on the employed
DQC protocol, since the qubits that Bob receives may not be the real ones from Alice. We consider the worst case in which Charlie
intercepts all the qubits sent by Alice and replaces them with his own, such as ones randomly chosen from
$\{|0\rangle, |1\rangle\}$ instead of $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$. Then no matter which qubits Bob chose
to forward in step S2, Charlie can distinguish these orthogonal states and learn Bob’s choices. Similarly, Charlie can also
figure out Bob’s further choices in step S4 by measuring all the incoming qubits in the same basis R. By doing so, Charlie can
learn whatever Bob does. However, during the public discussion, for each position where Alice and Bob chose the same basis,
there is still a disagreement between Alice and Bob with a probability 1/2 since Charlie did not know the original states that
Alice prepared. So the probability that Charlie is not noticed is $(1/2)^n$, which approaches zero when n is big enough.
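
The interpretation rule of step S7 and the worst-case substitution by Charlie analysed above can be checked numerically. The following is an added example, not code from the paper: it assumes a noiseless channel and tracks each BB84 state classically as a (basis, bit) pair, and all function names are hypothetical.

```python
import random

# Assumption of this sketch: each single-qubit BB84 state is tracked classically
# as (basis, bit): ("R", 0)=|0>, ("R", 1)=|1>, ("D", 0)=|+>, ("D", 1)=|->.

def apply_pauli(state, gate):
    """X flips the bit of R-basis states, Z flips the bit of D-basis states;
    on the other basis each gate acts as a global phase only."""
    basis, bit = state
    flips = (gate == "X" and basis == "R") or (gate == "Z" and basis == "D")
    return (basis, bit ^ 1) if flips else state

def measure(state, basis, rng):
    """Matching basis returns the encoded bit; otherwise a uniform random bit."""
    return state[1] if state[0] == basis else rng.randrange(2)

def run_protocol(num_qubits, charlie_substitutes=False, seed=1):
    """Steps S1-S7 for num_qubits qubits sent by Alice.
    Returns (agreed_positions, disagreements) after sifting."""
    rng = random.Random(seed)
    agreed = errors = 0
    for _ in range(num_qubits):
        alice = (rng.choice("RD"), rng.randrange(2))      # S1: random BB84 state
        # Worst case from the analysis: Charlie swaps in his own |0> or |1>.
        qubit = ("R", rng.randrange(2)) if charlie_substitutes else alice
        if rng.randrange(2):                               # S2: Bob discards
            continue
        gate = rng.choice("XZ")                            # S2: gate Bob requests
        qubit = apply_pauli(qubit, gate)                   # S3: Charlie applies it
        if rng.randrange(2):                               # S4: Bob discards
            continue
        meas_basis = rng.choice("RD")                      # S4: basis Bob requests
        result = measure(qubit, meas_basis, rng)           # S5: Charlie reports
        if meas_basis != alice[0]:                         # S6/S7: basis sifting
            continue
        # S7: in cases (1) X with R and (4) Z with D the gate flipped the bit.
        flip = (gate, meas_basis) in {("X", "R"), ("Z", "D")}
        bob_bit = result ^ 1 if flip else result
        agreed += 1
        errors += int(bob_bit != alice[1])
    return agreed, errors

def summarize(num_qubits=160_000):
    """Sifting fraction and error rates for an honest and a substituting Charlie."""
    honest = run_protocol(num_qubits)
    attacked = run_protocol(num_qubits, charlie_substitutes=True)
    return {
        "sifting_fraction": honest[0] / num_qubits,      # about 1/8
        "honest_error_rate": honest[1] / honest[0],      # exactly 0
        "attack_error_rate": attacked[1] / attacked[0],  # about 1/2
    }

if __name__ == "__main__":
    print(summarize())
```

With an honest Charlie the agreed positions never disagree, while under substitution about half of them do, which is the per-position 1/2 that gives the $(1/2)^n$ bound above.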

Comparisons. 

In existing SQKD protocols, one party with limited quantum power usually needs to perform three or four of the following
quantum operations: (1) prepare qubits in the computational basis $\{|0\rangle, |1\rangle\}$, (2) measure qubits in the
computational basis $\{|0\rangle, |1\rangle\}$, (3) reorder qubits, and (4) access quantum channels, while in the proposed
protocol, the party needs to implement
only operation (4). In other words, compared with the related work, our main contribution is that the quantum requirement that 
one party should have the ability of preparing and measuring qubits in the computational basis, or reordering qubits in typical 
SQKD protocols is removed and thus such party is more classical. The detailed comparisons between the given protocol and 
some typical ones are shown in Fig. 2. 
Figure 2. Comparisons among several SQKD protocols.


Discussion 

We have proposed an SQKD protocol by employing secure DQC, where almost classical Bob, who does not require quantum
capability or quantum memory and only needs to access quantum channels, can establish a shared key with quantum Alice. The
quantum resources of one party in our protocol are restricted to the minimum, so more users will have chances to participate
in quantum key distribution and enjoy its advantage. We also have provided an application of the DQC protocol on encrypted
data recently presented in Ref. 15 and offered a verification method for it to some extent. Furthermore, this is the first time
a bridge has been built between QKD and DQC, the combination of which will play a significant role in the advancement of secure
distributed quantum applications, and shed light on designing future quantum hybrid networks where quantum cryptographic
communication and quantum computation are to be implemented.

However, we have to achieve this more practical SQKD protocol at the cost of sacrificing qubit efficiency, which is only
12.5%, compared with 25% of the typical SQKD protocol. It can be significantly improved by relaxing the quantum requirements
of the party with restricted power, such as allowing him to have memory for reordering qubits, but quantum memory is not an
easy task with current technology. How to increase the key rate in the proposed SQKD protocol will be future work.